Tuesday, October 18, 2016

Yahoo Email Surveillance: the Next Front in the Fight Against Mass Surveillance

In a bombshell published today, Reuters is reporting that, in 2015, Yahoo complied with an order it received from the U.S. government to search all of its users’ incoming emails, in real time.

There’s still much that we don’t know at this point, but if the report is accurate, it represents a new—and dangerous—expansion of the government’s mass surveillance techniques.

This isn’t the first time the U.S. government has been caught conducting unconstitutional mass surveillance of Internet communications in real time. The NSA’s Upstream surveillance program—the program at the heart of our ongoing lawsuit Jewel v. NSA—bears some resemblance to the surveillance technique described in the Reuters report. In both cases, the government compels providers to scan the contents of communications as they pass through the providers’ networks, searching the full contents of the communications for targeted “selectors,” such as email addresses, phone numbers, or malware "cybersignatures."

Mass surveillance of Yahoo’s emails is unconstitutional for the same reasons that it's unconstitutional for the government to copy and search through vast amounts of communications passing through AT&T’s network as part of Upstream. The sweeping warrantless surveillance of millions of Yahoo users’ communications described in the Reuters story flies in the face of the Fourth Amendment’s prohibition against unreasonable searches. Surveillance like this is an example of “general warrants” that the Fourth Amendment was directly intended to prevent. (Note that, as we’ve explained before, it is irrelevant that Yahoo itself conducted the searches since it was acting as an agent of the government.)

While illegal mass surveillance is sadly familiar, the Yahoo surveillance program represents some deeply troubling new twists.

First, this is the first public indication that the government has compelled a U.S.-based email provider—as opposed to an Internet-backbone provider—to conduct surveillance against all its customers in real time. In attempting to justify its warrantless surveillance under Section 702 of the FISA Amendments Act—including Upstream and PRISM—the government has claimed that these programs only “target” foreigners outside the U.S. and thus do not implicate American citizens’ constitutional rights. Here, however, the government seems to have dispensed with that dubious facade by intentionally engaging in mass surveillance of purely domestic communications involving millions of Yahoo users.

Second, the story explains that Yahoo had to build new capabilities to comply with the government’s demands, and that new code may have, itself, opened up new security vulnerabilities for Yahoo and its users. We read about new data breaches and attempts to compromise the security of Internet-connected systems on a seemingly daily basis. Yet this story is another example of how the government continues to take actions that have serious potential for collateral effects on everyday users.

We hope this story sparks further questions. For starters: is Yahoo the only company to be compelled to engage in this sort of mass surveillance? What legal authority does the government think can possibly justify such an invasion of privacy? The government needs to give us those answers.

Update:The New York Times, in a follow up article, reported that the "innovative" order required Yahoo to search its incoming email for a specific "digital 'signature'" used by a terrorist organization. According to the article, Yahoo is the only company to receive such an order, and the surveillance has now terminated.

Finally, this is a perfect example of why we need to reform Section 702 and rein in the NSA’s mass surveillance programs. Absent such reform, Congress must not reauthorize Section 702 when it expires at the end of next year.